# Adding a new SSH key for a user

When you [lease](server-lease.md) a BareMetal server, the root user’s public SSH key is preconfigured. To connect to the server over SSH, you need a private key corresponding to the authorized public key.

If you lose your private SSH key specified when leasing the server, you can add a new public SSH key to the root user account.

## Create a new SSH key pair {#create-new-key}

Generate a new SSH key pair locally before adding the public key to the BareMetal server to enable root access over SSH:

{% list tabs group=operating_system %}

- Linux/macOS {#linux-macos}

  1. Open the terminal.
  1. Use the `ssh-keygen` command to create a new key:
  
      ```bash
      ssh-keygen -t ed25519 -C "<optional_comment>"
      ```
  
      To omit the comment, pass an empty string in the `-C` parameter. If you leave out the `-C` parameter altogether, a default comment will be added.
  
      After running this command, you will be prompted to specify the name and path to the key files and to enter a passphrase for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the `.pub` extension, and the private key in a file without an extension.
  
      By default, the command prompts you to save the key under the `id_ed25519` name in the following directory: `/home/<username>/.ssh`. If there is already an SSH key named `id_ed25519` in this directory, you may accidentally overwrite it and lose access to the resources it is used for. Therefore, you may want to use unique names for all SSH keys.

- Windows 10/11 {#windows}

  If you do not have [OpenSSH](https://en.wikipedia.org/wiki/OpenSSH) installed yet, follow this [guide](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui) to install it.
  
  1. Run `cmd.exe` or `powershell.exe` (make sure to update PowerShell before doing so).
  1. Use the `ssh-keygen` command to create a new key:
  
      ```shell
      ssh-keygen -t ed25519 -C "<optional_comment>"
      ```
  
      To omit the comment, pass an empty string in the `-C` parameter. If you leave out the `-C` parameter altogether, a default comment will be added.
  
      After running this command, you will be prompted to specify the name and path to the key files and to enter a passphrase for the private key. If you only specify the name, the key pair will be created in the current directory. The public key will be saved in a file with the `.pub` extension, and the private key in a file without an extension.
  
      By default, the command prompts you to save the key under the `id_ed25519` name in the following folder: `C:\Users\<username>\.ssh`. If there is already an SSH key named `id_ed25519` in this folder, you may accidentally overwrite it and lose access to the resources it is used for. Therefore, you may want to use unique names for all SSH keys.

- Windows 7/8 {#windows7-8}

  Create keys using the PuTTY app:
  
  1. [Download](https://www.putty.org) and install PuTTY.
  1. Add the folder with PuTTY to the `PATH` variable:
  
      1. Click **Start** and type **Change system environment variables** in the Windows search bar.
      1. Click **Environment Variables...** at the bottom right.
      1. In the window that opens, find the `PATH` parameter and click **Edit**.
      1. Add your folder path to the list.
      1. Click **OK**.
  
  1. Launch the PuTTYgen app.
  1. Select **EdDSA** as the pair type to generate. Click **Generate** and move the cursor in the field above it until key creation is complete.
  
      ![ssh_generate_key](../../../_assets/compute/ssh-putty/ssh_generate_key.png)
  
  1. In **Key passphrase**, enter a strong password. Enter it again in the field below.
  1. Click **Save private key** and save the private key. Do not share its passphrase with anyone.
  1. Click **Save public key** and save the public key to a file named `<key_name>.pub`.

{% endlist %}

## Add a new key to the root user account {#add-the-new-key}

You can add a new SSH key using one of the following methods.

{% note tip %}

To paste clipboard text to the KVM console, use the **Paste text here** field in the upper right corner.

{% endnote %}

{% list tabs %}

- If you can still log in to the server using your password

  If you can connect to the server as root with the password generated when leasing the server, you can add a new public SSH key without using a Rescue CD:

  1. [Connect](server-kvm.md) to the BareMetal server’s KVM console.
  1. Authenticate as root in the KVM console:

      * When prompted for username, type `root` and press **ENTER**:

          ```text
          my-server login: root
          ```
      * In the `Password:` prompt that appears, enter the root password generated when leasing the server.
  1. Navigate to the directory containing the root user’s SSH keys. Here is an example:
     
     ```bash
     cd /root/.ssh/
     ```
  1. Replace the `authorized_keys` file contents with your new public SSH key:
     
     ```bash
     echo "<new_SSH_key>" | tee authorized_keys
     ```
     
     To add a new key while keeping existing ones, use the `-a` flag with the `tee` command:
     
     ```bash
     echo "<new_SSH_key>" | tee -a authorized_keys
     ```
     
     {% note info %}
     
     At this stage, you can also [change](reset-password.md) the root password, modify other server OS settings to ensure proper booting and network connectivity, and diagnose and troubleshoot errors.
     
     {% endnote %}
  1. Log out from the root session in the KVM console:

      ```bash
      logout
      ```
  1. Test your new SSH key by using it to connect to the server from your local computer:
     
     ```bash
     ssh root@<server_public_IP_address>
     ```

- If you have no server access

  If you can no longer authenticate as root with the password generated when leasing the server, you can add a new public SSH key using the Rescue CD boot image. Proceed with the following steps in the [KVM console](server-kvm.md).

  To add a new SSH key for root or modify BareMetal server settings:

  1. [Start](rescue-boot.md#boot-up) the server from the Rescue CD image.
     
     In the main SystemRescue menu, select **Boot SystemRescue using default options**, press **ENTER** and wait for SystemRescue to load.
  1. View information about server storage devices, including disks and their partitions:
     
     ```bash
     fdisk -l
     ```
     
     Result:
     
     ```text
     Disk /dev/sda: 838.36 GiB, 900185481216 bytes, 1758174768 sectors
     Disk model: SAMSUNG MZ7GE900
     Units: sectors of 1 * 512 = 512 bytes
     Sector size (logical/physical): 512 bytes / 512 bytes
     I/O size (minimum/optimal): 512 bytes / 512 bytes
     Disklabel type: gpt
     Disk identifier: D79F5407-DEEC-4A1D-983F-3AC5********
     
     Device      Start      End         Sectors      Size  Type
     /dev/sda1   2048       614399      612352       299M  BIOS boot
     /dev/sda2   614400     21585919    20971520     10G   Linux filesystem
     /dev/sda3   21585920   34168831    12582912     6G    Linux filesystem
     /dev/sda4   34168832   1732861951  1698693120   810G  Linux filesystem
     
     
     Disk /dev/sdb: 838.36 GiB, 900185481216 bytes, 1758174768 sectors
     Disk model: SAMSUNG MZ7GE900
     Units: sectors of 1 * 512 = 512 bytes
     Sector size (logical/physical): 512 bytes / 512 bytes
     I/O size (minimum/optimal): 512 bytes / 512 bytes
     Disklabel type: gpt
     Disk identifier: CDZACB4C-1618-4BAF-A6BB-D2B9********
     
     Device      Start      End         Sectors      Size  Type
     /dev/sdb1   2048       614399      612352       299M  BIOS boot
     /dev/sdb2   614400     21585919    20971520     10G   Linux filesystem
     /dev/sdb3   21585920   34168831    12582912     6G    Linux filesystem
     /dev/sdb4   34168832   1732861951  1698693120   810G  Linux filesystem
     
     Disk /dev/md127: 6 GiB, 6438256640 bytes, 12574720 sectors
     Units: sectors of 1 * 512 = 512 bytes
     Sector size (logical/physical): 512 bytes / 512 bytes
     I/O size (minimum/optimal): 512 bytes / 512 bytes
     
     Disk /dev/md126: 9.99 GiB, 10729029632 bytes, 20955136 sectors
     Units: sectors of 1 * 512 = 512 bytes
     Sector size (logical/physical): 512 bytes / 512 bytes
     I/O size (minimum/optimal): 512 bytes / 512 bytes
     
     Disk /dev/md125: 809.88 GiB, 869596659712 bytes, 1698430976 sectors
     Units: sectors of 1 * 512 = 512 bytes
     Sector size (logical/physical): 512 bytes / 512 bytes
     I/O size (minimum/optimal): 512 bytes / 512 bytes
     
     Disk /dev/loop: 824.97 MiB, 865046528 bytes, 1689544 sectors
     Units: sectors of 1 * 512 = 512 bytes
     Sector size (logical/physical): 512 bytes / 512 bytes
     I/O size (minimum/optimal): 512 bytes / 512 bytes
     ```
     
     In the example above, the `fdisk` utility displayed information about the `/dev/sda` and `/dev/sdb` physical disks, their partitions, and the partitions of the server’s RAID array: `/dev/md127`, `/dev/md126`, and `/dev/md125`.
     
     The `/dev/sda` and `/dev/sdb` disks are configured in a RAID array, and the `809.88 GiB` `/dev/md125` partition contains the server OS root filesystem. This is the partition you need to mount.
  1. Mount the partition with the BareMetal server OS root filesystem:
     
     ```bash
     mount /dev/md125 /mnt
     ```
  1. Start a shell in SystemRescue whose root directory is the server OS filesystem you mounted in the previous step:
     
     ```bash
     chroot /mnt /bin/bash
     ```
  1. Navigate to the directory containing the root user’s SSH keys. Here is an example:
     
     ```bash
     cd /root/.ssh/
     ```
  1. Replace the `authorized_keys` file contents with your new public SSH key:
     
     ```bash
     echo "<new_SSH_key>" | tee authorized_keys
     ```
     
     To add a new key while keeping existing ones, use the `-a` flag with the `tee` command:
     
     ```bash
     echo "<new_SSH_key>" | tee -a authorized_keys
     ```
     
     {% note info %}
     
     At this stage, you can also [change](reset-password.md) the root password, modify other server OS settings to ensure proper booting and network connectivity, and diagnose and troubleshoot errors.
     
     {% endnote %}
  1. After completing all required operations in the server’s filesystem, exit the `chroot` shell to return to the SystemRescue environment:
     
     ```bash
     exit
     ```
  1. Unmount the BareMetal server filesystem:
     
     ```bash
     umount /dev/md125 /mnt
     ```
     
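     Result (the first argument, `/dev/md125`, already unmounts the filesystem, so `umount` then reports the second argument, `/mnt`, as not mounted):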
     
     ```text
     umount: /mnt: not mounted.
     ```
  1. Disable the virtual CD drive in the KVM console:
     
     1. Click the CD icon or select **Media** → **Virtual Media Wizard...** in the top menu of the KVM console window.
     1. In the window that opens, click **Disconnect** under **CD/DVD Media1**.
     1. Click **Close**.
  1. Restart the server:
     
     ```bash
     reboot
     ```
  1. Test your new SSH key by using it to connect to the server from your local computer:
     
     ```bash
     ssh root@<server_public_IP_address>
     ```

{% endlist %}

#### See also {#see-also}

* [Using the Rescue CD diagnostics and recovery tools](rescue-boot.md)
* [Resetting the server root password](reset-password.md)
* [Restoring the OS bootloader](restore-grub.md)
* [Replacing a disk in a RAID array](switch-raid-member.md)